Award-winning news, views, and insight from the ESET security community

BadUSB potential not as widespread as originally thought, but remains difficult to avoid

The BadUSB malware which potentially turns any USB stick into a 'unpatchable' malware carrier doesn't quite have the potential for mayhem it was originally feared, according to the researcher who uncovered the exploit.

The BadUSB malware which potentially turns any USB stick into a ‘unpatchable’ malware carrier doesn’t quite have the potential for mayhem it was originally feared, according to the researcher who uncovered the exploit.

The recently available BadUSB malware which potentially turns any USB stick into a ‘unpatchable’ malware carrier doesn’t quite have the potential for mayhem it was originally feared, according to the researcher who uncovered the exploit.

Karsten Nohl, who discovered the exploit back in July, has been doing some follow up research, and presented his findings at the PacSec security conference in Tokyo on Wednesday. Wired reports that after analyzing every USB controller chip available from the globe’s eight biggest manufacturers, the exploit would only work in roughly half of the chips, with the other half ‘immune to the attack’.

The catch is that figuring out which USB sticks are immune to the BadUSB malware is virtually impossible for the average customer, without opening the device up and physically checking.

“It’s not like you plug into your computer and it tells you this is a Cypress chip, and this one is a Phison chip. You really can’t check other than by opening the device and doing the analysis yourself,” explained Nohl, adding that, “the scarier story is that we can’t give you a list of safe devices.”

The results of the research is a strange mix to unpick as Myce explains, with all of Phison’s chips vulnerable, but none of ASmedia’s. USB 2 standard chips from Genesys weren’t susceptible, but their USB 3 chips were.

Things get more complicated when you consider than USB sticks don’t advertise the kind of chip they have buried inside – and as Wired points out, even if there were a reliable way to find out, manufacturers sometimes switch their chip supplier “even in the same product, to take advantage of whichever supplier can give them those semiconductors for a few pennies cheaper that month.” At the Shmoocon conference it was revealed that Kingston, for example, used ‘half a dozen different companies USB chips’ in their products.

“Some people have accepted that USB is insecure. Others remember BadUSB only as the Phison bug. That second group needs to wake up to the same level of awareness of the first group,” urged Nohl. “For practical purposes, it affects potentially everything.”